TALK OUTLINE

- Introducing QTM
- QuanTM [1] Model
  - TDG: Glue between security & reputation
- Fundamentals of Reputation Management
- PreSTA [3] Reputation Model
  - Partial QTM use-case
  - Applicable for fighting spam, Wikipedia...
- Conclusions
QTM DEFINED

'Trust Management' (TM) aspect

STATIC delegation of access rights between principals using policy/credentials/conditions

Implemented by a Policy-based TM (PTM) language (i.e., KeyNote) and evaluator ('compliance checker')

'Quantitative' (Q) aspect

DYNAMIC weighting of above delegations, based on reputations of those involved

Implemented by a Reputation Management (RTM) algorithm (PreSTA [3], TNA-SL [4], EigenTrust [5])
QTM DEFINED

Policy-Based Trust Mgmt. (PTM)

• Effective for delegated credentials and access enforcement
• Can't handle uncertainty and partial information
• Foundation: Cryptography

Rep-Based Trust Mgmt. (RTM)

• Quantifies trust relationships
• No delegation (non-transferable)
• No enforcement
• Foundation: Aggregation of past behavior via feedback.

QUANTITATIVE TRUST MANAGEMENT (QTM)

• Combine PTM and RTM
• Dynamic interpretation of authorization policies for access control decisions based upon evolving reputations of the entities involved, and environmental context at evaluation-time [6].


QTM for CPS

MAIN GOAL

- Integrating cyber and physical trusts

ISSUES FORESEEN

- Authentication/provenance of physical stimuli
- Environmental uncertainty

POTENTIAL USE-CASES

- Voting machines
- Emergency management


QuanTM Model

Combining TM and RM [1]

BUILDING A TDG

Authorizer: Alice
Licensees: (Bob && Charles)
Conditions:
  operation ==
    "read" -> ALLOW
    "execute" -> MAYBE
    "write" -> DENY
Signature: "rsa-sig:3850.."

Trust Dependency Graph (TDG): Data structure gluing Policy and Reputation based TM.

Above: An example KeyNote credential


Authorizer: The person who is "saying" a particular delegation
Binary Operator: Nature of the delegation. Here, "AND" implies both parties must be present. KeyNote also supports "OR"


Licensees: Those parties the 'Authorizer' is delegating trust to, as constrained by the binary operator
Compliance values: Output of the evaluator. Varies based on evaluation of conditions. Could be a binary YES/NO.
ACTUAL TDG

CREDENTIAL GROUPS:

We can divide portions of the graph based on the credentials from which they were derived
NULL NODES:

(1) Used to make graph explicitly binary

(2) Overwrite principals mentioned in credentials, but not 'present' in a particular request
TDG QUESTIONS

TDG: Excellent representation of trust dependencies in a KEYNOTE request

- Other TM languages?

We would like to have a TDG structure which can encapsulate the features of all/general trust management langs.
QuanTM Arch.
USING THE TDG

[Figure: example TDG with nodes BANK, Bursar, Cheryl, Travel]

BIG IDEA:

Each graph arc can be weighted with a value speaking to the reputation of connecting parties.

These can be collapsed to produce a single TRUST VALUE for an entire request
Reputation R1:

Arcs from operators to principals

Weight with service provider's (BANK) reputation valuation of sink principal
* Magic numbers
Reputation R2:

Arcs from principals to operators

Weight with service provider's (BANK) trust in 'the ability of the source principal to delegate'
* Mention R3

[Figure: example TDG (BANK, UPenn, Bursar, Cheryl, a && operator and a NULL node) with arc weights 1.0, 0.95, 0.95 and 0.5]
Graph Collapse:

* Swap out binary operators for numeric binary functions

* Start at TDG-bottom, perform functions, pass resulting values up the graph. Transitivity handled by multiply.
[Figure sequence: the example TDG collapsed from the bottom up, operators shown as MAX and AVG]

MAX(0.5, NULL) = 0.5

0.62 = 0.65 * 0.95

BANK: 0.62
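The graph collapse described above, as an added Python example (not code from the talk or from QuanTM): operators become numeric functions, NULL operands are skipped, and values multiply along arcs on the way up. The operator-to-function mapping, the graph shape, the weights and the threshold `decide` meta-policy are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean

# Assumed mapping: the slides show MAX and AVG replacing the operators but do
# not say which replaces which.
FUNCS = {"||": max, "&&": mean}

@dataclass
class Principal:
    name: str
    r2: float = 1.0            # R2: trust in this principal's ability to delegate
    delegates: object = None   # Operator below it; None => bottom of the TDG

@dataclass
class Operator:
    op: str                                   # "&&" or "||"
    arcs: list = field(default_factory=list)  # [(R1 weight, Principal or None)]

def collapse(node):
    """Bottom-up TDG collapse; returns a trust value, or None for a NULL node."""
    if node is None:                       # NULL: padding or absent principal
        return None
    if isinstance(node, Principal):
        if node.delegates is None:
            return 1.0
        below = collapse(node.delegates)
        return None if below is None else node.r2 * below   # transitivity
    vals = [r1 * v for r1, child in node.arcs
            if (v := collapse(child)) is not None]          # skip NULL operands
    return FUNCS[node.op](vals) if vals else None

def build_example(cheryl_rep=0.5):
    """Constructed TDG and weights (not the slide's figure)."""
    cheryl, travel = Principal("Cheryl"), Principal("Travel")
    bursar = Principal("Bursar", 0.9, Operator("||", [(cheryl_rep, cheryl), (1.0, None)]))
    upenn = Principal("UPenn", 0.95, Operator("&&", [(0.95, bursar), (0.8, travel)]))
    return Principal("BANK", 1.0, Operator("||", [(0.95, upenn), (1.0, None)]))

def decide(compliance, trust, threshold=0.5):
    """Hypothetical meta-policy: never override DENY, else require trust >= threshold."""
    return compliance != "DENY" and trust is not None and trust >= threshold

if __name__ == "__main__":
    for rep in (0.5, 0.1):   # lowering Cheryl's reputation acts as revocation
        trust = collapse(build_example(rep))
        print(rep, round(trust, 3), decide("MAYBE", trust))
```

Dropping Cheryl's reputation from 0.5 to 0.1 moves the same MAYBE request from permitted to refused without touching any credential.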
QuanTM Arch.
DECISION PROCESS

• There was an action request made...

- The TM language evaluator outputs some compliance value, e.g., "MAYBE"

- We generated a TDG, and collapsed it using magic numbers, e.g., "0.62"

• ... Combining these two things, and sufficient hand-waving -> binary access decision

- Cost-benefit analyses


QuanTM  Arch. 
WHAT'S GAINED

TM: Revocation difficult - One shouldn't delegate unless they completely trust.

QTM: Dynamic revocation using reputation
QTM: Safe to delegate in partial trust situations

TM: Rights can be delegated to principals that service provider knows nothing about

QTM: Can check these new principals at the reputation stage

RM: Lacks enforcement/delegation
Rep. Management

Aggregating Behavioral Feedback
(and testing these strategies [2])

REP MANAGEMENT

• DYNAMIC valuation using (in)direct interaction history between parties

- Loose interpretation: probability that A trusts B

- Informal; produces values in [0,1]

- Many different logics/systems to aggregate feedback

- EigenTrust (Garcia-Molina) and Subjective-Logic (Josang)
EIGENTRUST [5]

Normalized vector-matrix multiply aggregation towards globally convergent view.

- Feedbacks viewed in matrix, normalized

- Pre-trust vector

[Figure: example normalized feedback matrix A and trust vector]

t_{k+1} = (0.5 * A^T * t_k) + 0.5 * p

Converge to relative values (t^)

Elegant and scalable, but normalized, no negative trust
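An added Python example (not the EigenTrust authors' code) of the iteration above, run on a constructed four-peer feedback matrix to show why the pre-trust vector p matters when a clique rates only itself. The function names, the clipping of negative feedback and the fallback for peers that gave no feedback are assumptions of this example.

```python
def eigentrust(feedback, pretrust, alpha=0.5, tol=1e-12, max_iter=1000):
    """Iterate t_{k+1} = (1 - alpha) * A^T * t_k + alpha * p until it settles.

    feedback[i][j] is peer i's local score for peer j; alpha=0.5 gives the
    0.5/0.5 split on the slide.
    """
    n = len(feedback)
    total = sum(pretrust)
    p = [x / total for x in pretrust]             # pre-trust vector, sums to 1
    A = []
    for row in feedback:
        row = [max(x, 0.0) for x in row]          # normalized: no negative trust
        s = sum(row)
        # A peer with no positive feedback to give defers to the pre-trust vector.
        A.append([x / s for x in row] if s > 0 else list(p))
    t = list(p)
    for _ in range(max_iter):
        nxt = [(1 - alpha) * sum(A[i][j] * t[i] for i in range(n)) + alpha * p[j]
               for j in range(n)]
        if max(abs(a - b) for a, b in zip(nxt, t)) < tol:
            return nxt
        t = nxt
    return t

# Constructed feedback: peers 0 and 1 are honest and rate each other; peers 2
# and 3 collude, rating only each other. Peer 1's negative score is clipped.
FEEDBACK = [
    [0, 8, 0, 0],
    [5, 0, -3, 0],
    [0, 0, 0, 9],
    [0, 0, 9, 0],
]

def compare_pretrust():
    """Trust vectors with peer 0 pre-trusted versus no distinguished peer."""
    return eigentrust(FEEDBACK, [1, 0, 0, 0]), eigentrust(FEEDBACK, [1, 1, 1, 1])

if __name__ == "__main__":
    anchored, uniform = compare_pretrust()
    print([round(x, 3) for x in anchored])   # colluders get no global trust
    print([round(x, 3) for x in uniform])    # colluders keep half of it
```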
SUBJECTIVE LOGIC [4]

Trust 4-tuples (belief, disbelief, uncertainty, ...)

User-centric trust-graph decomposition

Advantages: Absolute interpretation (beta-PDF), user-centric views, negative trust

Disadvantages: Scalability, sparse scenarios

Opinion: (b, d, u, a)

belief = pos / (pos + neg + 2.0)
disbelief = neg / (pos + neg + 2.0)
uncertainty = 2.0 / (pos + neg + 2.0)
base-rate = 1.0 if user is pre-trusted, 0.5 otherwise

[Figure: Transitivity and Average operators on opinions (A -> B)]
RM SIMULATOR

How to test effectiveness of RM systems?
Simulator [2]: File exchange (i.e., P2P network)

- Good files and corrupt files

- Behaviors: Clean-up and honesty

Metric = (# valid files received by 'good' users) / (# transactions attempted by 'good' users)

[Figure: simulator pipeline: Network Params, Trace Generator, Trace File, Reputation Algorithm, Trace Simulator, Output Statistics]
[Figure: two plots. Legends: EIGEN, NONE, TNA-SL (x-axis: % Malicious Providers); EIGEN-0, TNA-SL-0, EIGEN-5, TNA-SL-5, none (x-axis: % Purely Malicious)]

(LEFT) Under naive circumstances, all trust algorithms are very effective (a sanity check).

(RIGHT) Under complex dishonesty and sparseness, PRE-TRUST becomes very important.


PreSTA Model

(Preventative Spatio-Temporal Aggregation)

Preventing Malicious Behavior (Spam) [3]

PreSTA: BIG IDEA

PROBLEM: Traditional punishment mechanisms (i.e., blacklists) are reactive

SOLUTION: PreSTA: Detect malicious users (i.e., spammers) before harm is done

Malicious users are spatially clustered (in any dimension)
Malicious users are likely to repeat bad behaviors (temporal)

A historical record of those principals known to be bad, and the timestamp of this observation (feedback)

An extended list of principals who are thought to be bad now, based on their past history, and history of those around them
IP DELEGATION

• IP delegation hierarchy extremely similar to TDG

• Exploit this fact:

- Calculate reputations at varying hierarchy levels

- Feedback: IP blacklists

- Combine granularities

• Can more malignants (spammers) be caught?

[Figure: IP delegation hierarchy: RIR, DHCP, Router, Machine]
SPATIO-TEMPORAL

TEMPORAL: Bad Guys Repeat Bad Behaviors

- Maximize utilization: re-use
- Predictable blacklist duration
- 25% reappear within 10 days

SPATIAL: Bad Guys Live Together

- Corrupt ISPs: McColo, 3FN
- Geography -> IP space
- Intra-allocation spamming

[Figure: AS-29385 IP Space (12,288 IPs in 256-IP blocks) (Vertical bar implies non-contiguous address space)]
PreSTA Algorithm

TO CALCULATE REPUTATION FOR ENTITY a:

time_decay(*): Returns on [0,1], higher weight to more recent events

magnitude(a): Number of IPs in grouping a

φ: Normalization constant putting REP() on [0,1]
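An added Python example (not the PreSTA implementation) that puts the three pieces named above together with blacklist feedback at two granularities, a single IP and its /24. The formula itself is not on this page, so the exponential decay, the division by magnitude, the per-level normalization constants, the max-combination and the reading of the score as "higher is worse" are all assumptions; the history is constructed.

```python
import ipaddress

HALF_LIFE_DAYS = 10.0   # assumed; the slides give no decay rate

def time_decay(age_days):
    """On [0,1], weighting recent events higher (assumed exponential form)."""
    return 0.5 ** (age_days / HALF_LIFE_DAYS)

def group_rep(history, network, now, phi):
    """Decayed blacklist feedback inside `network`, per IP, normalized by phi."""
    net = ipaddress.ip_network(network, strict=False)
    raw = sum(time_decay(now - day) for ip, day in history
              if day <= now and ipaddress.ip_address(ip) in net)
    return min(1.0, raw / net.num_addresses / phi)   # magnitude = IPs in grouping

def presta_score(history, ip, now, phi_ip=1.0, phi_block=0.25):
    """Combine granularities; assumed rule: the worse of the /32 and /24 values."""
    return max(group_rep(history, f"{ip}/32", now, phi_ip),
               group_rep(history, f"{ip}/24", now, phi_block))

def sample_history():
    """Constructed feedback as (ip, day listed), using documentation ranges."""
    block = [(f"203.0.113.{i}", 100) for i in range(32)]   # 32 listings, one /24
    return block + [("198.51.100.7", 60)]                   # one old listing

if __name__ == "__main__":
    hist = sample_history()
    for ip in ("203.0.113.5", "203.0.113.200", "198.51.100.7", "192.0.2.1"):
        print(ip, presta_score(hist, ip, now=100))
```

The never-listed address 203.0.113.200 scores well above the once-listed 198.51.100.7 because of its neighbours, which is the predictive behaviour a reactive blacklist lacks.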


PreSTA Results

Captures up to 50% of mail not caught by traditional blacklists with the same low false-positives

We capture between 20-50% of spam that gets past current blacklists

By design our FP-rate is equivalent to BLs: ~0.4%

Total blockage remains near constant: 90%

Blacklists are reactive, we are predictive. We can cover its slack

Cat and mouse. Graph should roll over time
PreSTA Results

(LEFT) Temporal (single IP) example where our metric could mitigate spam

(RIGHT) Probable botnet attack which our metric could mitigate via both temporal/spatial means
PreSTA: Wikipedia

PURPOSE: Build a blacklist of user-names/IPs based on the probability they will vandalize

TEMPORAL

• Straightforward, vandals are probably repeat offenders

• Registered users have IDs indicating when they joined, are new users more likely to vandalize?

SPATIAL

• Geographical: Based on user location (i.e., Wash. D.C.)

• Topical: A user may vandalize one topic (Rush Limbaugh), while properly editing another (Barack Obama)

• Anonymous users: IP address properties

FEEDBACK

• Certain administrators have rollback (revert) privileges

• Comment: "Reverted edit by X to last edition by Y"
CONCLUDING (ALL)

• Quantitative Trust Management (QTM)

- Combines Policy-based and Reputation-based TM

• QuanTM [1] framework

- Theoretical underpinnings of combination

- TDG as the shared data-structure

- Partial applications:

  • Simulator [2] for reputation-component

  • PreSTA [3]: Reputation incorporating properties of a hierarchical delegation (as in PTM)